Suricata

Spun off from #7847.

#7847 asks for byte_extract variables to be usable as input to the xor
transform (and later other keywords). That approach requires engine-core
changes, because transforms execute before byte_extract variables are
produced, and any transform that consumes a runtime variable must be
disqualified from prefilter/MPM. That work stays in #7847.

This ticket covers a narrower, self-contained capability that serves a
large subset of the same use case: extracting a transform key directly
from the buffer at transform time, without involving byte_extract.

The xor transform gains an inline spec that reads the key from the
inspected buffer:

    xor:"<hex_key>" 
    xor:var <nbytes> <offset>
    xor:offset <N>,"<hex_key>" 
    xor:offset <N>,var <nbytes> <offset>

var <nbytes> <offset> reads <nbytes> bytes at buffer position <offset>
at transform time and uses them as the xor key. Because byte_extract is
not involved, the same-buffer and absolute-offset constraints of the
byte_extract approach do not apply: the inline spec works with any buffer
in both prefilter (MPM) and full-inspection contexts.

Scope:
- The key must live at a fixed, rule-time-known offset. Cases where the
key's location is itself dynamic (e.g. a length-prefixed field whose
length must be byte_extracted first) are NOT covered here and remain
part of #7847.